NetBSD Security Advisory 2018-009
=================================

Topic:          bozohttpd can allow access to .htpasswd

Version:        NetBSD-current:         prior to 2018-11-22
                NetBSD 8*:              affected
                NetBSD 7.2*:            affected
                NetBSD 7.1*:            affected
                pkgsrc:                 bozohttpd package prior to 20181123

Severity:       Remote access to encrypted passwords and usernames

Fixed:          NetBSD-current:         November 21, 2018
                NetBSD-8 branch:        November 24, 2018
                NetBSD-7-2 branch:      November 24, 2018
                NetBSD-7-1 branch:      November 24, 2018
                pkgsrc-current:         bozohttpd-20181123 corrects this issue

Please note that NetBSD releases prior to 7.1 are no longer supported.
It is recommended that all users upgrade to a supported release.

Abstract
========
Under certain circumstances bozohttpd(8) can be tricked into revealing
the contents of certain special files. These special files are
configuration files for bozohttpd(8) and include the standard .htpasswd
file for HTTP Basic Authorisation (RFC-7617), which contains both a
list of user names and their encrypted passwords.
Technical Details
=================
There were two problems in the handling of bozohttpd special files. The
first was a missing check against .htpasswd itself in some cases, which
allowed the encrypted passwords and user names for the top-level
directory to be read. Any empty top-level directory name elided the
check for all special files. All requests now check special files.

The second was a lack of short circuit when the error was detected. The
error would be returned, but instead of closing the connection, the
contents of the requested file were also returned. This was caused by
not checking the return value of bozo_check_special_files(). This
function is now marked with the "warn_unused_result" attribute.
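The following is a constructed model of the two defects described above and of the corrected logic; it is not bozohttpd's own code. It assumes a request is split into a directory part and a file part, that `check_special_files()` stands in for bozo_check_special_files(), and that the sample .htpasswd content is made up.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model; the real server guards several special files, this
 * model only guards the one named in the advisory. */
#define SPECIAL_FILE  ".htpasswd"
#define FAKE_HTPASSWD "alice:$1$constructed$hash\n"   /* constructed sample */

/* Stand-in for reading the requested file from the served tree. */
static const char *read_file(const char *file)
{
    return strcmp(file, SPECIAL_FILE) == 0 ? FAKE_HTPASSWD : "<html>index</html>\n";
}

/* Non-zero if the last path component names a protected special file. */
static int check_special_files(const char *file)
{
    const char *base = strrchr(file, '/');
    return strcmp(base ? base + 1 : file, SPECIAL_FILE) == 0;
}

/* Same check, marked so that an ignored result is diagnosed at compile time,
 * which is the hardening the advisory describes for bozo_check_special_files(). */
static int check_special_files_guarded(const char *file) __attribute__((warn_unused_result));
static int check_special_files_guarded(const char *file)
{
    return check_special_files(file);
}

/* Vulnerable handler: returns an HTTP status and copies the body it would send. */
int serve_vulnerable(const char *dir, const char *file, char *body, size_t len)
{
    int status = 200;
    if (dir[0] != '\0')                       /* defect 1: empty dir elides the check */
        if (check_special_files(file))        /* defect 2: error noted, no short circuit */
            status = 403;
    snprintf(body, len, "%s", read_file(file)); /* file contents sent regardless of status */
    return status;
}

/* Fixed handler: every request is checked, and a failed check returns at once. */
int serve_fixed(const char *dir, const char *file, char *body, size_t len)
{
    (void)dir;                                /* the directory part no longer matters */
    if (check_special_files_guarded(file)) {
        body[0] = '\0';                       /* nothing of the file is sent */
        return 403;
    }
    snprintf(body, len, "%s", read_file(file));
    return 200;
}
```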
Solutions and Workarounds
=========================
Users of any bozohttpd(8) features that use special files should upgrade
to bozohttpd 20181123 or later. There is no workaround except for not
using these features, which may mean simply disabling parts of the served
tree until the server is upgraded. Consider changing all the passwords used
in the .htpasswd, as they may be compromised.

To apply a fixed version from a releng build, fetch a suitable base.tgz
from nyftp.netbsd.org and extract the fixed binaries:

        cd /var/tmp
        ftp http://nyftp.netbsd.org/pub/NetBSD-daily/REL/BUILD/ARCH/binary/sets/base.tgz
        cd /
        tar xzpf /var/tmp/base.tgz ./usr/libexec/httpd

with the following replacements:

        REL   = the release version you are using
        BUILD = the source date of the build; 20181125* and later will fit
        ARCH  = your system's architecture
The following instructions describe how to upgrade your bozohttpd
binaries by updating your source tree and rebuilding and installing
a new version of bozohttpd.
* NetBSD-current:

        Systems running NetBSD-current dated from before 2018-11-21
        should be upgraded to NetBSD-current dated 2018-11-22 or later.

        The following files/directories need to be updated from the
        netbsd-current CVS branch (aka HEAD):
                src/libexec/httpd

        To update from CVS, re-build, and re-install bozohttpd:
                # cd src
                # cvs update -A -d -P src/libexec/httpd
                # cd src/libexec/httpd
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install
* NetBSD 8.*:

        Systems running NetBSD 8.* sources dated from before
        2018-11-24 should be upgraded from NetBSD 8.* sources dated
        2018-11-25 or later.

        The following files/directories need to be updated from the
        netbsd-8 branch:
                src/libexec/httpd

        To update from CVS, re-build, and re-install bozohttpd:
                # cd src
                # cvs update -r netbsd-8 -d -P src/libexec/httpd
                # cd src/libexec/httpd
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install
* NetBSD 7.*:

        Systems running NetBSD 7.* sources dated from before
        2018-11-24 should be upgraded from NetBSD 7.* sources dated
        2018-11-25 or later.

        The following files/directories need to be updated from the
        netbsd-7, netbsd-7-2 or netbsd-7-1 branches:
                src/libexec/httpd

        To update from CVS, re-build, and re-install bozohttpd:
                # cd src
                # cvs update -r <branch_name> -d -P src/libexec/httpd
                # cd src/libexec/httpd
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install
Thanks To
=========
Thanks to JP for reporting this issue and helping find the problematic code.
Thanks to Matthew Green for fixing this and other DoS issues reported by JP.
Revision History
================
2018-12-11 Initial release
More Information
================
Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2018-009.txt.asc
Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .
Copyright 2018, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.